Method for the generation of pseudo-random permutation of an N-digit word

ABSTRACT

A method for the generation of small permutations on digits, for example between 7 and 30 digits, uses basic functions that are classic, one-way functions (generally non-bijective) defined on bits, and uses these functions in a generalized Feistel scheme that has at least five rounds.

BACKGROUND OF THE INVENTION

[0001] 1. Field of the Invention

[0002] An object of the invention is a method for the pseudo-random computation of a permutation of a word comprising N digits. The field of the invention is that of cryptography. More particularly, the field of the invention is that of cryptography applied to the encryption of words formed by digits.

[0003] It is an aim of the invention to enable the robust encryption of a word formed by N digits, N being contained in the interval [7, 30].

[0004] It is another aim of the invention to provide a fast encryption of a word formed by N digits, N being contained in the interval [7, 30].

[0005] It is another aim of the invention to determine a robust pseudo-random permutation in a set whose cardinal is 10^(N); this cardinal is therefore not a power of 2.

[0006] It is another aim of the invention to perform the enciphering of identifiers based on the use of digits, such as for example telephone numbers.

[0007] It is another aim of the invention to generate a string of N digits that is a pseudo-random string, i.e. for a person who does not know the secret key that is used to generate this string, this string, in practice, cannot be distinguished from a truly random string.

[0008] It is another aim of the invention to produce N-digit strings such that the production process ensures that the same string will not be produced twice.

[0009] 2. Description of the Prior Art

[0010] In the prior art, the term “bit” is understood to mean a variable that can take the value 0 or the value 1. These two values are physically represented, in a computer or memory, by an electrical signal that can take two values, one associated with 0 and the other associated with 1. A binary word is an ordered succession of bits.

[0011] A digit is a variable that can take one of the following values: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9. A digit can be encoded by bits. In this case, then, each digit has a corresponding binary word. This binary word is generally four bits long but it may also be a word with a length of eight bits (ASCII code) or more. A word in digits or digit word is an ordered succession of digits.

[0012] A permutation is a bijection or one-to-one and onto mapping on a finite set.

[0013] A “pseudo-random permutation” is a permutation generated by a computer program that is fairly simple to compute from a secret key K having the following property: a person who does not know the key K is in practice incapable of distinguishing a permutation of this kind from a truly random permutation (with the same input and output sizes), because the number of computations needed in order to distinguish them by known methods far exceeds what is possible in realistic terms.

[0014] At present, if we consider the fact that 2⁸⁰ elementary computations (or more) are needed to resolve a problem, this number of computations is excessively great for any intruders.

[0015] In the prior art, there are known permutations in sets wherein the number of elements is a power of 2. There are also known attempts to adapt these permutations to sets wherein the number of elements is not a power of 2. Such a technique, used to encipher the elements of a set E comprising n elements, consists in using a permutation P working on a subset SE of E comprising a number of elements that is a power of 2. To determine Ck(x), i.e. the encryption of x belonging to E with the key k, the operation starts with the computation of the n-tuple V, with

V={Pk(i)}, where i describes E.

[0016] Since all the elements of V are different, an n-tuple W is produced by replacing each element of V by the rank of this element in oV, where oV is the ordered n-tuple V. Then, it is obtained that Ck(x) is the xth element of W.

[0017] One drawback of this method is that to encipher/decipher a word, it is necessary to encipher/decipher all the words of the initial set. This leads to lengthy and costly computation times. Indeed, such computations take a great deal of time, thus reducing the response times of a server, in a client-server application. If the customer is an autonomous, portable apparatus such as a mobile telephone and if the customer has to implement such a method, the problem is even greater since the customer has less computation power than a server.

[0018] Another known method for carrying out a permutation of a set E comprising a number of elements that is not a power of 2 is to consider a subset SE of E, where SE comprises a number of elements that is a power of 2, and a permutation P of the set SE. Then Ck(x), i.e. the enciphering of x for a key k, is obtained by the following recursive algorithm:

[0019] Algorithm Ck(x)

[0020] y=Pk(x)

[0021] if y is in E then send y

[0022] else send on Ck(y)

[0023] end

[0024] The weakness of this method lies in the convergence time of the algorithm used. Indeed, it may happen that it is necessary to make many computations and, in this case, the computation time becomes excessively costly.

[0025] In the prior art, there are other known enciphering solutions not based on permutations, i.e. not based on bijection. However, inasmuch as it is sought to carry out a reversible encryption, it must be ensured that the result of an enciphering is unique. Thus, at present, in certain applications, in order to ensure the uniqueness of the enciphering, certain industrialists or operators have, for many years, been storing all the digit strings generated. They may thus ensure that each string is new because, if they generate an already used string, they detect it and do not put this string into circulation again but generate another string. However, such a method is costly and proves in the long run to be inconvenient because it soon calls for a great deal of available memory space and large and quickly accessible backup means located in highly secured premises. Furthermore, the number of computations to be made increases with the number of values already generated, and therefore increases with time.

[0026] In particular, these three solutions do not perform well as regards the generation of permutations on credit card or telephone type numbers. Indeed, the number of computations to be made may be excessively costly and cryptographic security may not be ensured. Instead of these three solutions, it is possible to use a generator of pseudo-random permutations on the digits, as shall be described. The fact that the same value is not generated twice will be ensured by the bijective character of the generator (it generates permutations).

[0027] At present, all the standard cryptographic functions, in secret key cryptography, take a certain number of bits at input and give a certain number of bits at output. This is the case, for example, of the SHA-1 function, the DES function, the AES function etc. Now, in certain industrial-scale applications, for example in telephony, it is sought to have not a certain number of bits but a certain number of digits at input and output. For this purpose, one solution would be to rewrite specific functions, but designing and developing these functions could take up a lot of time, and they would necessarily be far less analyzed by the international cryptographic community. Or else, according to the invention, it is possible to have inputs and outputs on the digits, but ones that use classic cryptographic functions on the bits to ensure security. It is such a method, for a particular problem, that is implemented here.

[0028] For a better understanding of the subject and object of the present invention, a few points regarding the Feistel schemes are briefly recalled herein.

[0029] Let n be a natural integer. Let I_(n)={0, 1}^(n) be the set of strings of n bits.

[0030] Let f₁ be any function of I_(n) towards I_(n).

[0031] Let G and D be two elements of I_(n).

[0032] [G, D] denotes the element of I_(2n) whose n first bits are equal to G, and the n following bits are equal to D.

[0033] ψ(f₁) denotes the bijection of I_(2n) towards I_(2n) such that: for any [G, D] of I_(2n), and for any [S, T] of I_(2n), ψ(f₁)[G, D]=[S, T] if and only if:

S=D and T=G⊕f₁(D),

[0034] where ⊕ designates the “XOR” operation (or bit to bit modulo 2 operation).

[0035] ψ(f₁) is truly a bijection, for the inverse function is the function g such that:

g[S, T]=[T⊕f₁(S), S]=[G, D].

[0036] Finally, since T is an integer that will be called the number of rounds of the Feistel scheme, and since f₁, f₂, . . . f_(T) are T functions of I_(n) to I_(n), which will be called the T round functions, ψ(f₁, f₂, . . . f_(T)) denotes the next bijection of I_(2n) to I_(2n):

ψ(f₁, f₂, . . . f_(T))=ψ(f_(T))∘ . . . ∘ψ(f₂)∘ψ(f₁),

[0037] where ∘ designates the law of composition of the functions.

[0038] The bijection ψ(f₁, f₂, . . . f_(T)) is called a “T round Feistel scheme”.

[0039] A definition shall now be given of what is called a generalized Feistel scheme. The idea that underlies this form, which is different from the Feistel scheme, is the following. Instead of dividing the word into two equal parts of n bits in order to obtain 2n bits, it is possible, more generally, at each round, to cut it into one part comprising a bits, and another part comprising b bits, with a+b=N (N being in this case the total number of input and output bits). It is also possible to make a and b vary according to the round number i; the values of a and b varying according to the rounds will be denoted by a_(i) and b_(i). What is known as a generalized Feistel scheme is then obtained. This definition may be specified as below:

[0040] n being any natural integer, I_(n)={0, 1}^(n) always denotes the set of n-bit strings.

[0041] Let a, b and n be three natural integers such that: a+b=n.

[0042] Let f₁ be any function from I_(b) to I_(a).

[0043] Let G be an element of I_(a), and D an element of I_(b).

[0044] [G, D] denotes the element of I_(n) for which the first a bits are equal to G, and the following b bits are equal to D.

[0045] ψ′(f₁) denotes the bijection from I_(n) to I_(n) such that: for any [G, D] of I_(n), and for any [U, V] of I_(n), ψ′(f₁)[G, D]=[U, V] if and only if:

U=G⊕f₁(D), and V=D

[0046] where ⊕ designates the “XOR” operation (or bit by bit modulo 2 addition).

[0047] And λ being the function that makes a rotation on the bits of a bits (the new first bit is the old (a+1)^(th) bit, the new second bit is the old (a+2)^(th) bit etc.), the following is written:

ψ(f₁)=λ∘ψ′(f₁)

[0048] Finally, T being an integer which shall be called the number of rounds of the generalized Feistel scheme, and f_(i), 1≤i≤T, being T functions from I_(bi) to I_(ai), which shall be called the T round functions, ψ(f₁, f₂, . . . f_(T)) denotes the following bijection of I_(2n) to I_(2n):

ψ(f₁, f₂, . . . f_(T))=ψ(f_(T))∘ . . . ∘ψ(f₂)∘ψ(f₁),

[0049] where ∘ designates the law of composition of the functions.

[0050] The bijection ψ(f₁, f₂, . . . f_(T)) is called a “generalized T-round Feistel scheme”.

[0051] It is also possible here to envisage particular cases of generalized Feistel schemes, for example alternating a bits and b bits. Thus, it is also possible to alternate functions that change a bits, and functions that change b bits as presented here below.

[0052] Thus, for example, at every odd-valued round, it is possible to have a transformation of the following type:

ψ(f_(i))[G, D]=[U, V] if and only if:

[0053] U=G⊕f_(i)(D) and V=D, where f_(i) is a function of I_(b) towards I_(a),

[0054] and at every even-valued round, it is possible to have a transformation of the type:

ψ(f_(j))[G, D]=[U, V] if and only if:

[0055] U=G and V=D⊕f_(j)(G), where f_(j) is a function of I_(a) to I_(b).

[0056] In the invention, these problems are resolved by using a generalized Feistel scheme. The generalized Feistel scheme used is a scheme comprising at least five rounds and, in a preferred example, six rounds. However, greater resistance to cryptographic analysis is sometimes obtained with a greater number of rounds. Thus, it is possible to go up to 30 rounds to remain within computation times compatible with response times of a system implementing the invention. The round functions of the generalized Feistel scheme take a digits at input and give b digits at output. They are made as follows, it being known that these functions must work on binary words:

[0057] 1. A binary word A is computed from these b digits, a key K and a round number i; here, for example, it is a simple conversion of the concatenation of these values into binary mode,

[0058] 2. B=f(A) is computed, f being a one-way function on bits; this step is generally the step most important for security, owing to the one-way character of the function f,

[0059] 3. C=g(B) is computed, g being a function that takes a binary word at input and gives a word comprising a digits at output. This is, for example, a simple conversion into digits of a binary word; often, a function f will be taken for the step 2 such that B has exactly the format adapted to a direct conversion of this kind.

[0060] Thus, the round function output binary words are transformed into digits. Such a round function is based, for example, on the hash algorithm SHA-1 (Secure Hash Algorithm). This construction gives a pseudo-random function in a set of elements formed by digits. The permutation, namely the bijective character, is guaranteed by construction, by the use of a Feistel scheme. The pseudo-random aspect, for its part, is guaranteed because no known cryptographic attack can be successfully launched against this mode of encryption since at least five rounds are used here.

SUMMARY OF THE INVENTION

[0061] An object of the invention therefore is a method for the generation of a pseudo-random permutation of an N-digit word in which:

[0062] a generalized Feistel scheme (202-205) is implemented, wherein:

[0063] the round functions of the generalized Feistel scheme implemented are functions (Fi) such that:

[0064] the input words of the round functions are produced by the conversion of digit words into binary words,

[0065] then a one-way function is applied to these binary words,

[0066] finally, the output in digits is a function of these binary words.

[0067] a digit word to be enciphered is read in a memory (104),

[0068] the generalized Feistel scheme used comprises at least T=5 rounds.

BRIEF DESCRIPTION OF THE DRAWINGS

[0069] The invention will be understood more clearly from the following description and from the accompanying figures. These figures are given purely by way of an indication and in no way restrict the scope of the invention. Of these figures:

[0070] FIG. 1 illustrates means useful for the implementation of the method according to the invention;

[0071] FIG. 2 illustrates steps of the method according to the invention.

MORE DETAILED DESCRIPTION

[0072] In general, the actions described are undertaken by a device comprising a microprocessor and a memory comprising instruction codes to command this microprocessor. These instruction codes correspond to the implementation of the steps of the method according to the invention. A word, whether binary or in digits, is an electrical representation or again an electrical signal, or a variable in a memory or a register. When an action is attributed to an apparatus, this action is performed by a microprocessor of this apparatus controlled by instruction codes recorded in a memory of this apparatus.

[0073] FIG. 1 shows an apparatus 101 implementing the method according to the invention. The steps of the method according to the invention are therefore implemented by the apparatus 101. Such an apparatus is, in practice, the server of an operator of a telecommunications network. However, the method according to the invention can be implemented by any device or system corresponding to FIG. 1. Examples of apparatuses that can implement the method according to the invention include a mobile telephone, a personal assistant, a computer whether it is laptop, desktop or a rack computer. This list is not exhaustive.

[0074] FIG. 1 shows that the apparatus 101 has a microprocessor 102, a program memory 103, a memory 104 of input digit words, a memory 105 of output digit words, a key memory 106, a memory 107 of the number of rounds, and interface circuits 108. The elements 102 to 108 are interconnected by a bus 109.

[0075] In FIG. 1 the memories 103 to 107 are represented as separate memories. In practice, these memories may very well be one and the same memory component, or a memory component and registers of a specialized circuit (ASIC).

[0076] The memory 104 enables the recording of a digit word that must be enciphered/encrypted by the method according to the invention. The memory 105 enables the recording of the result of the enciphering, by the method according to the invention, of the word recorded in the memory 104. The memory 106 enables the recording of a key used by the enciphering method according to the invention. The memory 107 enables the recording of the number of rounds of the Feistel scheme/network according to the invention.

[0077] The memory 103 is divided into several zones corresponding to different functions implemented by the microprocessor 102. A zone 103a has instruction codes corresponding to the implementation of a Feistel scheme. A zone 103b comprises instruction codes corresponding to the implementation of a hash function, in the present example SHA-1. A zone 103c corresponds to the implementation of communications functions, especially the instruction codes of the zone 103c enabling the control of the circuits 108. A zone 103d comprises instruction codes for the implementation of a round function.

[0078] The memory 103 has other working and storage zones not shown in FIG. 1.

[0079] The circuits 108 connect the apparatus 101 to external devices such as a network, a keyboard and a screen. It is through these circuits 108, and the instruction codes of the zone 103c, that it is possible to read and/or write in the memories 104 to 107 which are also memories for the parametrization/configuration of the method according to the invention.

[0080] FIG. 2 illustrates the working of a generalized Feistel scheme according to the invention. FIG. 2 shows a preliminary step 201 in which the user enters the digit word to be enciphered. This entry consists in writing the digit word M to be enciphered in the memory 104. In the step 201, the user also enters information into the contents of the key memory 106, as well as the contents of the memory 107 of the number of rounds. These circuits are updated through the circuits 108.

[0081] There is then a passage to the first step of the enciphering method proper. This is a step 202 for subdividing and converting the digit word M into binary words G0 and D0. This subdivision is such that M=[G0, D0]. By construction and definition, G0 is the left-hand part of M and D0 is the right-hand part of M. It shall be considered, for example, that M has 10 digits, i.e. that N is equal to 10. In the case of a standard Feistel scheme, the word to be enciphered is subdivided into two parts of equal length. We shall discuss the generalized Feistel scheme further below. In the present example, G0 and D0 are therefore binary words, each corresponding to five digits. In this example, we therefore have A=B=5, where A is the length in digits of the word G0, and B is the length in digits of the word D0.

[0082] A digit word is a binary representation in memory. This representation is, most of the time, a sequence of quartets or nybbles (4-bit units), or respectively a sequence of eight-bit bytes (eight bits, for the ASCII code). Each quartet or eight-bit byte respectively then corresponds to a digit. If we consider the case of the use of a quartet, in a known way, the conversion of a digit word into a binary word is done simply by the juxtaposition of the binary words corresponding to each digit. Thus 0 corresponds to the quartet 0000, 1 to the quartet 0001, 2 to the quartet 0010 and so on and so forth until 9 which corresponds to the quartet 1001. With this mode of encoding, the binary conversion, for example of the digit word 12345, is the binary word 00010010001101000101 formed by five quartets.

[0083] There is another way of converting a digit word into a binary word. This other way is that of the preferred embodiment of the invention. In this other way of conversion, a digit word is converted by using a binary word having the same decimal value as the digit word read. Thus, the digit word 12345 is converted into a binary word corresponding to its decimal value, namely the binary word 11000000111001.

[0084] At the end of the step 202, the digit word M is subdivided into two binary words G0 and D0. For example, if the word in digits is 1234567890, then G0 is the conversion in binary form of 12345, and D0 is the conversion in binary form of 67890. The method then passes to a step 202 or first round of the Feistel scheme according to the invention.

[0085] In the step 202, a binary word G1 is computed. This word G1 is actually equal to D0. A binary word D1 is also computed such that D1=G0⊕F1(D0). In this expression, the symbol ⊕ corresponds to an exclusive-or or “XOR” function. The function F1 is the round function of the first round of the Feistel scheme according to the invention. Generally, Fi denotes the round function of the ith round of the Feistel scheme according to the invention. The function Fi is expressed for example as follows:

Fi(x)=<SHA_1(i∥K∥x∥j)>  (1)

[0086] In this expression SHA_1( ) is the hash function of the same name. In practice, another hash algorithm such as MD5 for example may be used. It is also possible to use another function such as AES (Advanced Encryption Standard) or TDES (Triple Data Encryption Standard). These are standard pseudo-random functions of cryptography on binary words. More generally, it is possible to use any function or a pseudo-random function on bits.

[0087] ∥ is a concatenation operator, K is the key that is read in the memory 106, i is the index of the round of the Feistel function. The notation <∥j> signifies that j is initialized at 0, and then that the 17 most significant bits are extracted from the output of the function SHA_1. If these 17 bits correspond precisely to five digits, this output is kept. If not, j is increased by one unit and the expression (1) is re-evaluated until this property is obtained. This iteration on j actually corresponds to a conversion of a binary number into a digit number. The input words of the round functions are therefore produced by the conversion of the digit words into binary words. The output binary words of the round functions are therefore converted into digit words. In order that 17 bits may correspond precisely to five digits, the conversion of this 17-bit word into decimal notation must be expressed with five figures.

[0088] The fact that 17 bits are extracted is related to the fact that the work is done with words having a length of five digits. More particularly, this is related to the fact that the round function considered produces a five-digit word. In practice, the number of extracted bits is related to the length of the word in digits produced by the following consideration: the number of bits extracted corresponds to the length of a binary word enabling the encoding of the greatest decimal value that can be represented with the number of digits of the word produced. Thus, with five digits, the greatest decimal value that can be represented is 99 999. 17 bits are needed to encode this value in binary mode. If we consider, for example, a seven-digit word, then the greatest decimal value that can be represented is 9 999 999. In this case, it is necessary to extract 24 bits. This reasoning can be applied to any number of digits.

[0089] In one variant, the iteration on j stops as soon as the extracted bits correspond to a decimal value that can be represented by the number of digits to be produced by the round function.

[0090] It is recalled here that the words processed have a length of five digits for the word M has a length of 10 digits, and that it has been separated into two words of five digits each.

[0091] The function described by the expression (1) is non-reversible, i.e. it is a one-way function for it implements a hash function which is itself non-reversible. The term “non-reversible” means that it is impossible to determine the input of a function by knowing its output. In general, the irreversibility of the round function is related to the fact that a certain number of bits is extracted from its output, and that it therefore cannot be a bijection.

[0092] At the end of the step 203, there is therefore a word M1=[G1, D1]. The invention then passes to a step 204 for the computation of a word M2=[G2, D2] with G2=D1, and D2=G1⊕F2(D1). The step 204 is the second round of the Feistel scheme according to the invention. The step 204 is identical to the step 203 except that the step 204 works on the word M1 while the step 203 works on the word M.

[0093] In general, in a Feistel scheme, the ith round produces a word Mi=[Gi, Di] with G_(i)=D_(i−1), and D_(i)=G_(i−1)⊕F_(i)(D_(i−1)).

[0094] In the present example, we consider a five-round Feistel scheme. Hence T is equal to 5. Thus, after the step 204 the third and fourth rounds are performed as described for the general case.

[0095] During the Tth round, in this case the fifth round, and the step 205, a word M_(T)=[G_(T), D_(T)] is produced, with G_(T)=G_(T−1)⊕F_(T)(D_(T−1)), and D_(T)=G_(T−1). The word M_(T) can thus be used as an input of the Feistel scheme with the key K and the initial word M will be retrieved at output. The word M_(T) is the result of the enciphering of the word M by the method according to the invention. At the end of the step 205, the word M_(T) is written in the memory 105. In a summary writing of the method of the invention, the following is written:

M_(T)=Chi(M, K, T)

[0096] This expression must be read as follows: M_(T) is the result of the enciphering (Chi) of M by the method according to the invention with the key K, and a number of rounds equal to T. The deciphering function is then the same, and we have:

M=Chi(M_(T), K, T)

[0097] The memory 105 is read through the circuits 108, enabling the result of the enciphering to be used.

[0098] In the present example, the Feistel scheme comprises T=five rounds. In a preferred mode of implementation, the Feistel scheme comprises six rounds. In practice, it is possible to go up to 30 rounds. However, it is necessary to be able to attain a compromise with speed of execution. Indeed, the greater the number of rounds, the greater the increase in computation time. In practice, six rounds are enough to avert all known attacks that are not based on brute force. With the computation power now available, it is possible to go up to 30 rounds without appreciably impairing the response time of a system implementing the method according to the invention. In practice, the number of rounds T is therefore smaller than 30.

[0099] In the exemplary description, the word M is deemed to comprise 10 digits. In practice, the word M may comprise an odd number of digits. In practice again, it is possible to carry out a non-symmetrical division of the word M. In both these cases, a generalized Feistel scheme is implemented, i.e. A is different from B. It is noted that the case A=B is a particular case of the generalized scheme.

[0100] Let it be considered, for example, that M comprises N=11 digits. Let it then be considered that A is equal to 5 and B is equal to 6. We have N=A+B. We also have G0 with a length of five digits and D0 with a length of six digits. At the end of the first round of the generalized Feistel function, we have G1=D0, which comprises six digits, and D1=G0⊕F1(D0), which comprises five digits. In this case, the function F1 works on a word with a length of six digits to produce a word with a length of five digits and therefore 17 bits are extracted from the output of the function SHA_1, as described here above.

[0101] At the end of the second round of the Feistel scheme, we have G2=D1, which comprises five digits. We also have D2=G1⊕F2(D1), which comprises six digits. In this case, the function F2 works on a word with a length of five digits to produce a word with a length of six digits. Hence 20 bits are extracted from the output of the function SHA_1 according to the considerations already seen.

[0102] In the case of a generalized Feistel scheme, the subdividing of the word to be enciphered is not symmetrical. The round functions therefore do not work on the same number of digits depending on whether the index of the round is an even value or an odd value. Thus, during rounds with an odd-valued index, the round function of the Feistel scheme works on a word with a length of B digits to produce a word with a length of A digits. During rounds with an even-valued index, the round function of the Feistel scheme works on a word with a length of A digits to produce a word with a length of B digits.

[0103] In general, A and B can take any values so long as A+B=N. It is preferred to subdivide a digit word symmetrically. Should N be an even-parity value, this poses no problem. We have A=B=N/2. Should N be an odd-parity value, it is stated then that A is equal to the integer part of N/2, while B is equal to N−A. Thus we truly have A+B=N. With this mode of subdivision, B is never greater than A by more than one unit. We thus have an integer subdivision that is as close as possible to a symmetrical subdivision.
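
The scheme of paragraphs [0085] to [0103] as a runnable sketch, added here as an illustration and not taken from the patent. Assumptions: the alternating form of [0052]-[0055] is used, the combining step is addition modulo 10^A (or 10^B) instead of ⊕ so that every intermediate value remains a valid digit word, the fields i, K, x, j are joined with '|', and deciphering runs the rounds in reverse order; all function names and the key are hypothetical.

```python
import hashlib

MIN_ROUNDS = 5  # the page requires at least T = 5 rounds


def split_lengths(n):
    """A = integer part of N/2, B = N - A, as in [0103]."""
    a = n // 2
    return a, n - a


def bits_for_digits(digits):
    """Bits needed to encode the largest value with this many digits."""
    return (10 ** digits - 1).bit_length()


def round_function(i, key, x, in_digits, out_digits):
    """F_i(x) = <SHA-1(i || K || x || j)>, using the [0089] stopping rule.

    Assumption: fields are joined with '|' and x is zero-padded; the
    page does not fix a byte encoding.
    """
    nbits = bits_for_digits(out_digits)
    limit = 10 ** out_digits
    j = 0
    while True:
        msg = b"|".join([str(i).encode(), key,
                         str(x).zfill(in_digits).encode(), str(j).encode()])
        digest = int.from_bytes(hashlib.sha1(msg).digest(), "big")
        value = digest >> (160 - nbits)   # most significant nbits of SHA-1
        if value < limit:                 # representable on out_digits digits
            return value
        j += 1                            # otherwise re-evaluate (1)


def _check(word, rounds):
    if not (word.isascii() and word.isdigit()) or len(word) < 2:
        raise ValueError("word must be a string of at least 2 digits")
    if rounds < MIN_ROUNDS:
        raise ValueError("at least 5 rounds are required")


def encipher(word, key, rounds=6):
    """Permute an N-digit string; the output is again an N-digit string."""
    _check(word, rounds)
    a, b = split_lengths(len(word))
    g, d = int(word[:a]), int(word[a:])
    for i in range(1, rounds + 1):
        if i % 2:   # odd round: F_i maps B digits to A digits, changes G
            g = (g + round_function(i, key, d, b, a)) % 10 ** a
        else:       # even round: F_i maps A digits to B digits, changes D
            d = (d + round_function(i, key, g, a, b)) % 10 ** b
    return str(g).zfill(a) + str(d).zfill(b)


def decipher(word, key, rounds=6):
    """Inverse of encipher: same round functions, undone last to first."""
    _check(word, rounds)
    a, b = split_lengths(len(word))
    g, d = int(word[:a]), int(word[a:])
    for i in range(rounds, 0, -1):
        if i % 2:
            g = (g - round_function(i, key, d, b, a)) % 10 ** a
        else:
            d = (d - round_function(i, key, g, a, b)) % 10 ** b
    return str(g).zfill(a) + str(d).zfill(b)


def voucher_codes(key, count, digits=7):
    """Encipher a counter 1..count; bijectivity makes the codes distinct."""
    return [encipher(str(c).zfill(digits), key) for c in range(1, count + 1)]


if __name__ == "__main__":
    key = b"constructed-demo-key"   # sample key, constructed for the demo
    c = encipher("1234567890", key)
    print(c, decipher(c, key))
    print(voucher_codes(key, 5))
    # Reason for the modular addition: XOR of the binary words of two
    # five-digit values can exceed 99999 and leave the digit domain.
    print(65536 ^ 65535)
```
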

[0104] This enciphering method is used to encipher commonly used digit words. Such words are telephone numbers (8 to 10 digits), visa card numbers (16 digits), social security numbers (13 digits in France), bank account numbers, electronic vouchers, etc.: the list is not exhaustive. Furthermore, these numbers may be concatenated into a greater number so as to obtain a 30-digit word.

[0105] In general, with the method according to the invention, the longer the word to be enciphered, i.e. the greater the length of N, the greater the resistance to cryptographic analysis.

[0106] For an input word, a given enciphering key and a number of rounds of the Feistel scheme, it is always the same enciphered word that is obtained. So as to reinforce the enciphering and, above all, to prevent behavioral research based on an electronic identifier, a digit number to be enciphered can be concatenated with a random digit number. For example, to encipher a telephone number, it is first concatenated with the number of seconds that have elapsed since the beginning of the current hour. Then the result of this concatenation is enciphered. Thus, the same enciphered word is only obtained very rarely for a given telephone number. The type of random number used is any random number. It may be obtained, for example, by means of a simple counter of a number drawn from a pre-computed pseudo-random sequence, the counter increasing with each instance of use. This list is not exhaustive.

[0107] Thus, among the possible uses of the method according to the invention, there is the possibility of enciphering information between the sender of this information and its addressee. There is also the possibility of isolating two networks from each other. This isolation is achieved, for example, by a server of the operator of a first network. With the method according to the invention, this server transcodes an identifier of the first network to produce an identifier on the second network. Thus, the entities acting on the second network, except for the operator of the first network, are incapable of identifying the user of the first network.

[0108] The invention can therefore be applied very particularly and very advantageously to telephony. Thus, in the context of protecting the privacy of subscribers with a telephony operator and combating spam, all the protocols use the MSISDN (the subscriber's international telephone number) encoded on 15 digits as a subscriber identifier and this information could then be misused by the service provider in order to set up a user profile or send spam type messages. It may be sought to conceal this value by enciphering but the result must then be compatible with the format of the telecommunications protocols. In particular, the operator should be capable of easily deciphering this value. These two aims are achieved with the method according to the invention.

[0109] The case of the electronic voucher is also a good exemplary application of the invention. The interface at the level of a mobile telephone is limited to the numerical keypad. The user is therefore limited in his keying-in operation to digits. In the generation of an electronic voucher (a voucher number is equivalent to a financial value, for example 30 euros), each keying in of a voucher is used to credit a sum to an account. The management of the vouchers with the service provider is simplified if the generator of these values uses symmetrical algorithms working on digits. A counter runs from 1 to M, and the enciphering of the counter gives pseudo-random data that are all different. It is thus possible to generate pseudo-random codes on N digits, easily manageable by the service provider because it is only the last counter value used that is stored and not all the values of vouchers already generated to ensure the uniqueness of these vouchers.

[0110] In general, in “large” databases, the storage is done in unencrypted form. The structure may be composed (with digital and alphanumerical non-homogeneous formats) and the safety requirements dictate enciphering. In this case too, digital enciphering enables the efficient protection of the data, and this is achieved without any modification of the structure and at very low cost in economic terms.

[0111] These exemplary modes of implementation of the invention do not limit the fields of application of the invention.

1. A method for the generation of a pseudo-random permutation of an n-digit word in which: a generalized Feistel scheme is implemented, wherein: the round functions of the generalized Feistel scheme implemented are functions (Fi) such that: the input words of the round functions are produced by the conversion of digit words into binary words, then a one-way function is applied to these binary words, finally, the output in digits is a function of these binary words. a digit word to be enciphered is read in a memory, the generalized Feistel scheme used comprises at least T=5 rounds.

2. A method according to claim 1, wherein the one-way function on the binary words uses a standard pseudo-random cryptography function on binary words.

3. A method according to claim 1 wherein the standard pseudo-random function on the binary words uses the SHA-1 function.

4. A method according to claim 1 wherein the number of rounds T of the Feistel scheme is smaller than or equal to 30.

5. A method according to claim 1, wherein the number of rounds T of the Feistel scheme is equal to 6.

6. A method according to claim 1 wherein, during odd-valued rounds of the Feistel scheme, the round function works on a word with a length B, and during even-valued rounds of the Feistel scheme it works on words with a length of A digits, where A+B=N.

7. A method according to claim 6, wherein A is equal to the integer part of N/2 and B is equal to N−A.

8. A method according to claim 1, wherein N is an integer contained in the interval [7, 30].

9. A method according to claim 1, wherein N is an integer contained in the interval [10, 30].

10. A method according to claim 1, wherein N is an integer contained in the interval [13, 30].